Over at the "Internet protocol Jornal (issue 10.4) you can find a good read on the dangers of IP spoofing. This problems is very old and very wide known. Even when I was in networking (1997-2002) this was wideley known and there was an easy cure. So I dont understand why Cisco decided to publish this now, a decade ago it would have been yesterdays news.

Everyone who ever read the TCP/IP bible (TCP/IP illustrated) knows this. All you have to configure on a router is IP UNICAST REVERSE PATH, in combination with cisco CEF. Then all packets that are routed are inspected. If the sender address (the From IP address) is in the routing table, it is checked to see if the router would route it the packet would have been send over the same interface the packet orginated from. If so, the sender is valid and the packet is routed, if not, it is proabbly a forged packet and it is dropped. That simple, one command and there is no IP spoofing anymore. In 1998 cisco released this feature I think, a decade ago!

All ISP's (at least in the Netherlands) have this kind of ingress filtering acitvated on their routers since a decade, it is impossible to spoof and route a packet in the Netherlands and most parts of the world for that matter.

I remember though that Casema (which I used as a cable modem provider between 1996-2001) didnt have this feature for some time. You could route a packet towards 1.1.1.1 with the sender address 10.255.255.255. 1.1.1.1 would give an "ICMP unreachable message" from the border routers of casema and it would be send towards the complete internal network -all systems- of Casema creating a kind of internal DoS.

But to publish this article one decade after a decade seems like rerunning old stories. 10 years is on the net a lifetime.